Thanks for the fast response.
Instead of using the FreeRADIUS users file for authentication, I want to use a custom Python module in the inner-tunnel (I presume) to authenticate the user with a REST API.
Have you looked at rlm_rest? It might be a better solution.
I had not, interesting and thanks for reference. It doesn't look like it would work for me as I need to get/manage access and refresh tokens and have custom needs.
What information does the rest API give you? Or what are you expecting to send to it to check?
The API gets dynamic IPs and validates passwords, otp, and NT hashes.
1) How do I know in the Python module when to get in the middle of the multi-step eap authentication without causing problems?
I don't understand what this means.
If you call rlm_python in the the authenticate section of the inner- tunnel, then it'll be at the right time to do the authentication.
You understood ;-) Read that I should be careful not to shortcircuit the EAP negotiations.
2) How do I get the User-Password?
You can't.
Understood. What I'm really asking is how I can get access from the inner-tunnel to the NT hash? I don't see it passed in. Just the User-Name and EAP-Message. If it is encrypted in the EAP-Message payload, how do I decrypt? Thanks, Gary